On Mon, Nov 23, 2020 at 12:49:25PM +0100, Peter van Dijk wrote:
> On Fri, 2020-11-20 at 20:47 +0100, Vladimír Čunát wrote:
> >
> > In retrospect I see that what I wrote is very similar to Manu's
> > "Do9" except for replacing WebPKI by TLSA, with all their pros
> > and cons:
> >
On Fri, 2020-11-20 at 12:14 -0800, Brian Dickson wrote:
>
> I think we (the three of us and maybe Tony Finch, if not the whole DNS
> community) may be converging on a design that will, I believe, work.
This is not the first time that design has been proposed. It is the
first time it was not met
On Fri, 2020-11-20 at 20:47 +0100, Vladimír Čunát wrote:
> On 11/19/20 2:05 PM, Peter van Dijk wrote:
> > 1. auth operators publish TLSA records for their NSes
> > 2. the registry, while generating zone files, queries for those TLSA records
> > 3. from the found TLSA records, the registry
On 11/20/20 9:14 PM, Brian Dickson wrote:
> So, using a new algorithm for whatever we do, should be 100% backward
> compatible.
Yes, it should be. A few different proposals have been relying on that
already, for DS or DNSKEY. It is possible that some validators still
have bugs around this, but
On Fri, Nov 20, 2020 at 11:47 AM Vladimír Čunát wrote:
> On 11/19/20 2:05 PM, Peter van Dijk wrote:
> > 1. auth operators publish TLSA records for their NSes
> > 2. the registry, while generating zone files, queries for those TLSA records
> > 3. from the found TLSA records, the registry
On 11/19/20 2:05 PM, Peter van Dijk wrote:
> 1. auth operators publish TLSA records for their NSes
> 2. the registry, while generating zone files, queries for those TLSA records
> 3. from the found TLSA records, the registry generates DOTPIN DSes
> 4. the DOTPIN DSes are published alongside the
Please bear with me while I take you on a rollercoaster :-)
We introduce our three actors:
DOTPIN:
https://datatracker.ietf.org/doc/draft-vandijk-dprive-ds-dot-signal-and-pin/ -
pin TLS key material in a DS record. Scales badly if one NSset hosts 100k
domains, basically preventing you from